[ISN] NIST releases security controls proposal

From: InfoSec News (isn@private)
Date: Tue Nov 04 2003 - 02:40:00 PST


    http://www.fcw.com/fcw/articles/2003/1103/web-nist-11-03-03.asp
    
    By Diane Frank 
    Nov. 3, 2003
    
    The National Institute of Standards and Technology today released the 
    first draft of a publication describing the security controls that are 
    to become mandatory for federal information systems.
    
    NIST officials want agencies to experiment with the initial public
    draft, "Special Publication 800-53: Recommended Security Controls for
    Federal Information Systems." [1] It outlines electronic and physical
    controls for systems categorized under three levels of potential
    impact, judged by the harm that would result if, for example, someone
    stole information from a federal system, modified its data or
    disrupted a government service.
    
    Low-, moderate- and high-impact levels are defined in draft "Federal 
    Information Processing Standard (FIPS) 199: Standards for Security 
    Categorization of Federal Information and Information Systems." NIST 
    officials released the final draft of that standard in September. 
    
    Controls outlined in the Publication 800-53 draft fall into three 
    classes -- management, operational and technical -- and are then broken 
    down further into families. For example, under the management class, 
    families include security planning and the acquisition of information 
    systems and services. Operational class families cover issues such 
    as incident response and contingency planning.
    
    NIST's Computer Security Division plans to use agencies' comments from 
    the initial draft and an open workshop in March to develop final 
    security controls that would become the new "FIPS 200: Minimum 
    Security Controls for Federal Information Systems."
    
    FIPS 199 and 200 are required under the Federal Information Security 
    Management Act of 2002. NIST expects to publish FIPS 200 in the fall 
    of 2005, when its controls will become mandatory for all federal 
    agencies.
    
    Comments are due by Jan. 31, 2004, and may be submitted to 
    sec-cert@private
    
    [1] http://csrc.nist.gov/publications/drafts.html
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Tue Nov 04 2003 - 04:58:35 PST